Federal Act on Data Protection (FADP)

On September 25, 2020, the Swiss Federal Assembly definitively approved the new Federal Data Protection Law (LPD) and the Data Protection Ordinance (OPDa), which will come into effect on September 1, 2023.

Innovation and institutions provided for by the law

Scope of the Federal Act

The Federal Act on Data Protection applies to all cases (i.e. all personal data processing operations) whose effects are in Switzerland, even if they take place outside the country.

Profiling

The provisions on high-risk profiling give Swiss nationals special protection against certain types of automated profiling that pose high risks to personality or fundamental rights.

Consent

Explicit consent of data subjects is required when processing involves:
- personal data worthy of particular attention
- high-risk profiling
- profiling processes carried out by a Swiss Federal Body.

Security of Personal Data

The level of security shall be appropriate to the risks presented by the processing in order to prevent data security breaches. The Federal Assembly of the Swiss Confederation will issue a minimum set of security measures.

Data Protection Advisor

Private Data Controllers shall appoint a Data Protection Advisor (DPA), called Data Protection Officer (DPO) in the General Data Protection Regulation (GDPR).

Records of Processing Activities

Data Controllers and Data Processors shall maintain a record of processing activities that must include the purpose of the processing, data categories and other significant information.

Data Breach Notification

Data Controllers shall notify the Federal Data Protection and Information Commissioner (FDPIC) of any personal data breach without undue delay when the breach poses a high risk to the personality or fundamental rights of the data subjects.

Data Processing operations carried out by Data Processors

If the Data Controller entrusts another entity with processing, that entity (the Data Processor) must process the data only according to the Controller's instructions and must guarantee the security of personal data.

Obligation of EU and non-EU companies to appoint a representative

All EU and non-EU companies without any office or domicile in Switzerland that process personal data of Swiss citizens shall appoint a representative in the Swiss Confederation.

Right of the data subject

Data subjects shall have the right to obtain information on data collection. The Federal Act introduced a right to data portability for data subjects.

Data protection impact assessment

In some cases the Data Controller must carry out a Data Protection Impact Assessment (DPIA).

Sanctions

The Federal Act has strengthened the powers of the Federal Data Protection and Information Commissioner (FDPIC), who now has broad and encompassing powers to investigate. Sanctions will be applicable to natural persons only, whereas companies can be sanctioned in well-defined cases only.
